OVAL

RHSA-2016:2594-02 -- Redhat 389-ds-base

ID: oval:org.secpod.oval:def:501927
Date: (C)2016-11-07 (M)2023-09-26
Class: PATCH
Family: unix




389 Directory Server is an LDAP version 3 compliant server. The base packages include the Lightweight Directory Access Protocol server and command-line utilities for server administration.

The following packages have been upgraded to a newer upstream version: 389-ds-base.

Security Fix:

* It was found that 389 Directory Server was vulnerable to a flaw in which the default ACI could be read by an anonymous user. This could lead to leakage of sensitive information, since the ACIs describe who may access which parts of the directory. (CVE-2016-5416)

* An information disclosure flaw was found in 389 Directory Server. A user with no access to objects in a certain LDAP sub-tree could send LDAP ADD operations with a specific object name. The error message returned to the user differed depending on whether the target object existed or not, so the user could confirm the existence of entries they were not permitted to read. (CVE-2016-4992)

* It was found that 389 Directory Server was vulnerable to a remote password disclosure via timing attack. A remote attacker could possibly use this flaw to retrieve a directory server password after many tries. (CVE-2016-5405)

The CVE-2016-5416 issue was discovered by Viktor Ashirov; the CVE-2016-4992 issue was discovered by Petr Spacek and Martin Basti; and the CVE-2016-5405 issue was discovered by William Brown.

Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.

Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 After installing this update, the 389 server service will be restarted automatically.
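The timing-attack flaw above is easiest to understand with a model of the bug class. The Python below is an added illustration, not SecPod's or 389-ds-base's code, and it does not reproduce the server's actual verification path: it models a password check that stops at the first mismatching byte, and stands in for elapsed time with a deterministic count of bytes examined. The stored password, character set and helper names (leaky_compare, constant_time_compare, recover_length, recover_password) are all constructed for the example. It shows why an early-exit comparison lets a remote caller recover a secret one byte per position in "many tries" rather than by exhaustive search, and the constant-time form that closes the channel.

```python
"""Added illustration of the timing side channel behind CVE-2016-5405 (constructed example,
not 389-ds-base code). Elapsed time is replaced by a count of compared bytes so the run
is deterministic and offline."""
import hmac
from typing import Callable, Optional, Tuple

# Constructed secret and alphabet for the demonstration; not taken from any real deployment.
STORED_PASSWORD = b"s3cret!"
CHARSET = b"abcdefghijklmnopqrstuvwxyz0123456789!"

Oracle = Callable[[bytes], Tuple[bool, int]]


def leaky_compare(candidate: bytes, secret: bytes) -> Tuple[bool, int]:
    """Early-exit comparison. Returns (match, bytes_examined).

    bytes_examined grows with the length of the correct prefix, which is exactly
    what a network attacker observes as a response-time difference.
    """
    examined = 0
    if len(candidate) != len(secret):
        return False, examined          # length mismatch also leaks: no bytes examined
    for a, b in zip(candidate, secret):
        examined += 1
        if a != b:
            return False, examined      # stop at first mismatch: the leak
    return True, examined


def constant_time_compare(candidate: bytes, secret: bytes) -> bool:
    """Fixed form: hmac.compare_digest examines every byte regardless of where a
    mismatch occurs, so the caller learns only the final verdict."""
    return hmac.compare_digest(candidate, secret)


def recover_length(oracle: Oracle, max_len: int) -> Optional[int]:
    """Find the secret's length: only a candidate of the right length gets past the
    length check, so its cost is non-zero."""
    for length in range(1, max_len + 1):
        _, cost = oracle(b"\x00" * length)
        if cost > 0:
            return length
    return None


def recover_password(oracle: Oracle, length: int, charset: bytes = CHARSET) -> bytes:
    """Byte-by-byte recovery against a leaky oracle.

    For each position, try every alphabet byte with NUL padding to the full length;
    the guess whose cost is highest extended the matching prefix by one byte.
    Worst case is length * len(charset) queries, versus len(charset) ** length for
    brute force: the "many tries" the advisory refers to.
    """
    known = b""
    for pos in range(length):
        best_byte, best_cost = charset[0], -1
        for c in charset:
            guess = known + bytes([c]) + b"\x00" * (length - pos - 1)
            match, cost = oracle(guess)
            if match:
                return guess            # last position: the oracle confirms the whole secret
            if cost > best_cost:
                best_byte, best_cost = c, cost
        known += bytes([best_byte])
    return known


def demo() -> dict:
    """Run the attack against the leaky check and show the fixed check gives no gradient."""
    leaky: Oracle = lambda g: leaky_compare(g, STORED_PASSWORD)
    length = recover_length(leaky, 64)
    recovered = recover_password(leaky, length) if length else b""
    # With the constant-time check there is no per-byte cost to compare, only a verdict.
    verdicts = {constant_time_compare(g, STORED_PASSWORD) for g in (b"s3cret!", b"s3xret!", b"zzzzzzz")}
    return {"recovered": recovered, "success": recovered == STORED_PASSWORD, "fixed_verdicts": verdicts}


if __name__ == "__main__":
    print(demo())
```

The count oracle is idealised; against a real server the attacker averages many requests per guess to separate the timing difference from network jitter, which is why the advisory says "after many tries". The mitigation does not depend on that detail: any comparison of secret material must take the same time on every input, as compare_digest does.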
Bugs fixed:

190862 - [RFE] Default password syntax settings don't work with fine-grained policies
1018944 - [RFE] Enhance password change tracking
1143066 - [RFE] The dirsrv user/group should be created in rpm %pre, and ideally with fixed uid/gid
1160902 - search, matching rules and filter error "unsupported type 0xA9"
1196282 - substring index with nssubstrbegin: 1 is not being used with filters like
1209128 - [RFE] Add a utility to get the status of Directory Server instances
1210842 - Add PIDFile option to systemd service file
1223510 - nsslapd-maxbersize should be ignored in replication
1229799 - 389-ds-base: ldclt-bin killed by SIGSEGV
1249908 - No validation check for the value for nsslapd-db-locks.
1254887 - No man page entry for option "-u" of dbgen.pl for adding group entries with uniquemembers
1255557 - db2index creates index entry from deleted records
1257568 - /usr/lib64/dirsrv/libnunc-stans.so is owned by both -libs and -devel
1258610 - total update request must not be lost
1258611 - dna plugin needs to handle binddn groups for authorization
1259950 - Add config setting to MemberOf Plugin to add required objectclass for memberOf attribute
1266510 - Linked Attributes plug-in - wrong behaviour when adding valid and broken links
1266532 - Linked Attributes plug-in - won't update links after MODRDN operation
1267750 - pagedresults - when timed out, search results could have been already freed.
1269378 - ds-logpipe.py with wrong arguments - python exception in the output
1270020 - Rebase 389-ds-base to 1.3.5 in RHEL-7.3
1271330 - nunc-stans: Attempt to release connection that is not acquired
1273142 - crash in Managed Entry plugin

Platform:
Red Hat Enterprise Linux 7
Product:
389-ds-base
Reference:
RHSA-2016:2594-02
CVE-2016-4992
CVE-2016-5405
CVE-2016-5416
CPE:
cpe:/o:redhat:enterprise_linux:7
cpe:/a:fedoraproject:389_directory_server

© SecPod Technologies